On Thu, Oct 29, 2020 at 10:31:12PM -0400, Alex wrote:

> > Yes. If you want to separate outbound mail streams, use multiple
> > instances with:
> >
> >     http://www.postfix.org/BASIC_CONFIGURATION_README.html#myhostname
> >     http://www.postfix.org/BASIC_CONFIGURATION_README.html#mydomain
> >     http://www.postfix.org/BASIC_CONFIGURATION_README.html#inet_interfaces
>
> Okay, after some reading and hair pulling, I decided to give it a
> shot, and made some progress. A few questions, please.

It would be useful to post the output of "postmulti -l" so we know
what you're talking about. And then the output of:

    # for i in $(postmulti -l | awk '$3 == "y" {print $1}')
      do
        postmulti -i $i -x postconf multi_instance_name inet_interfaces master_service_disable
      done

which will show the inet_interfaces and disabled services for each
enabled instance.

> # netstat -ntap|grep LISTEN|grep master
> tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 401001/master

That'd be either inet_interfaces, or an explicit master.cf entry.

> Is there a diagram that shows the flow of data from the internet
> through to the first instance, content filter, then out?

You've just described it. Can you ask a more specific question?
Each Postfix instance behaves like a full-blown independent MTA; they
just happen to run on the same machine. You can forward traffic
between them via SMTP.

For any given IP address and TCP port, at most one Postfix instance
can listen on that IP and port, and if the port is used with a
wildcard listener, then that generally precludes using it with
specific IPs.

> I have an existing system that uses amavisd, clamav and spamassassin
> using "content_filter = smtp-amavis:[127.0.0.1]:10024". Just to be
> sure, this (along with my postscreen and smtpd_recipient_restrictions)
> goes in postfix-in, correct?

With multiple instances you don't actually need a "content_filter";
you can instead arrange for the transport table and/or local_transport,
virtual_transport, relay_transport, default_transport (whichever are
applicable) to hand mail off to the filter port. But you can continue
to use content_filter if you like.

You still need smtpd_relay_restrictions on the "out" instance,
typically just allowing 127.0.0.1 and nothing else. All the other
restrictions can be empty.

> I don't understand what this from the MULTI_INSTANCE doc is for. Under
> what circumstances do I need this? Should this instead be the
> smtp-amavis service from my master.cf?
> Should I be able to drop in my
> existing master.cf to use in postfix-in?

Pretend you have 3 separate machines, one running "postfix-in", a
second running amavis, and a third running "postfix-out". Just
arrange to pass mail through all three in the right sequence.

The only thing different with multiple instances is that all three
are on the same OS instance, and some of the input and output IPs
are loopback addresses.

> # Replace default "smtp inet" entry with one listening on port 10026.
> 127.0.0.1:10026 inet n - n - - smtpd

Post-amavis mail would typically be received by postfix-out.

> My master.cf:
> smtp-amavis unix - - n - 2 smtp
>     -o smtp_data_done_timeout=1200
>     -o smtp_send_xforward_command=yes
>     -o disable_dns_lookups=yes
>     -o max_use=20

The "disable_dns_lookups" thing is long obsolete, and "max_use=20"
is unnecessary. With multiple instances, this can just be the
"smtp" transport of the "postfix-in" instance. It punts *everything*
to amavis.

> 127.0.0.1:10025 inet n - n - 2 smtpd
>     -o content_filter=
>     ...
>     -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
>     -o local_header_rewrite_clients=

This goes in "postfix-out" and instead of all the overrides, just
apply the settings in main.cf instead. And you don't need "no_milters",
just don't define any milters you don't need.

Again think three separate machines, each configured for the task
at hand. Your current configuration is mostly distraction, start
clean.

--
    Viktor.
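
The three-hop layout described in the reply above, as an added configuration sketch; it is not part of the original message and not taken from the Postfix documentation. Assumed: the instances are named postfix-in and postfix-out, and amavis listens on 127.0.0.1:10024 and re-injects to 127.0.0.1:10025, the ports from the quoted master.cf.

```ini
# ---- postfix-in: main.cf (internet-facing instance) ----
multi_instance_name = postfix-in
# postscreen and smtpd_recipient_restrictions stay in this instance.
# Hand all mail to the filter port. Either keep content_filter, or point
# whichever of these transports apply at amavis (assumed 127.0.0.1:10024):
default_transport = smtp:[127.0.0.1]:10024
relay_transport   = smtp:[127.0.0.1]:10024
local_transport   = smtp:[127.0.0.1]:10024
virtual_transport = smtp:[127.0.0.1]:10024
# Replaces "-o smtp_send_xforward_command=yes" on the old smtp-amavis
# service: the instance's ordinary smtp transport now talks to amavis.
smtp_send_xforward_command = yes

# ---- postfix-out: master.cf ----
# Replace the default "smtp inet" entry with a loopback-only listener on
# the port amavis re-injects to (assumed 10025), with no -o overrides:
#   127.0.0.1:10025 inet n - n - - smtpd

# ---- postfix-out: main.cf (post-filter instance, does the delivery) ----
multi_instance_name = postfix-out
mynetworks = 127.0.0.0/8
# Relay only for loopback clients so this listener cannot become an
# open relay; every other restriction list is left empty.
smtpd_relay_restrictions = permit_mynetworks, reject
smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
# Accept the XFORWARD attributes passed along by the filter.
smtpd_authorized_xforward_hosts = 127.0.0.0/8
# Former per-service overrides, now plain main.cf settings. no_milters
# is dropped: simply define no milters in this instance.
receive_override_options = no_header_body_checks, no_unknown_recipient_checks
local_header_rewrite_clients =
```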